'Made in Jail' -- Meet the Russians who engineered the biggest hack in history
FSB Building in Moscow (Wikimedia Commons/A. Savin)
What's really going on inside Center 18, the cybersecurity office of the Russian FSB? And who exactly were the Russians behind the hack of Yahoo? For Episode 3 of our Breach podcast, we dig deep inside Russia's cyber-hacking machine with the help of Moscow-based journalist Andrei Soldatov. He's co-author of "The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries." Listen by hitting play below, or read this partial transcript. Or, go back to the beginning if this is your first time here. Or listen on iTunes.
ANDREI:
These days, of course, it’s not about spies, it’s about control.
ALIA: So the FSB has different counterintelligence units that are no longer just about keeping the US out, but exist to infiltrate and control many different parts of Russian life. The FSB has the right to send agents inside any Russian financial institution or big business, just to keep them in line. And in 2002, Putin even gave the FSB power to spy on the GRU, the military agency. So the FSB is in charge of controlling things in the Army.
ANDREI:
And of course the GRU is not very happy about it.
ALIA:
It just sounds to me like the FSB is like an octopus with tentacles on everything.
ANDREI:
Yeah, absolutely.
ALIA:
So we have this giant agency, the FSB, with power all over the place. And inside the FSB, is a special division in charge of cyber activity.
ANDREI:
And officially the Information Security Center is in charge of hunting down cyber criminals.
ALIA:
And this is where our story begins: the Center for Information Security, A.K.A. Center 18. When we started this project, I always pictured Center 18 as this buzzing modern complex, giant ominous architecture, servers on servers, perhaps an omniscient cyborg submerged in goo, and lots of people wearing sunglasses indoors.
ANDREI:
You mean the information security building? Yeah, it’s an ugly rectangular building. And it’s gray.
ALIA:
While it may not look very cool, Center 18, the Information Security Center, plays an incredibly important role. While the FSB agents at Center 18 are in charge of gathering cyber intelligence online, they’re also in charge of hunting, tracking, and prosecuting cyber criminals. So imagine you’re working at Center 18, in Russia, which has a huge community of hacking talent, and your job is to: identify and prosecute the most sophisticated local hackers AND to pull off sophisticated hacks.
ANDREI:
It means that it makes this unit uniquely positioned to recruit these hackers, because they are in charge of sending them to jail.
ALIA:
And those criminal hackers’ actions wouldn't necessarily be traced back to your work at Center 18 since, ostensibly, you’re busy prosecuting them. And the local hackers aren’t in any position to disclose anything you’re doing at Center 18.
ANDREI:
Because they understand that they are completely under control.
ALIA:
A pipeline of hackers who can accomplish your goals without incriminating you. And best of all, you have control.
ANDREI:
That makes hackers, real criminal hackers, so precious.
ALIA:
Which leads us to Yahoo.
ANDREI:
To be honest it was the very first time, the very first case when we see, when we see an FSB officer recruiting a Russian hacker to do something, in this case against Yahoo. The problem here, and just to give you another layer of complexity-
ALIA:
Oh good, another layer of complexity.
ANDREI:
Whether he acted as just a guy, a corrupted guy, or he was (active) because he was ordered to recruit a criminal hacker.
ALIA:
In other words, in the case of the FSB using Center 18 to recruit hackers to breach Yahoo, it's hard to tell who started it. Who recruited whom? Who was going to go to jail if they didn't do it, or was already hacking into Yahoo and Center 18 found out and wanted to use it?
ANDREI:
The biggest problem is to understand and to identify a final mastermind. Who actually was behind this operation? That’s the biggest problem.
ALIA:
Maybe we don't know the final mastermind, but we have four alleged criminals outlined in the Russian Yahoo indictment. First is Igor Sushchin. He's the first of our indicted four. We need a theme for indicted four.
So Igor Sushchin is the most mysterious.
BOB:
Yeah, so we know he is described as an FSB officer, but it doesn't seem that he worked for the Center for Information Security.
ANDREI:
Well with Sushchin, it seems to be another FSB officer. But with him, to be honest, it’s very difficult to understand anything about his role, because he is officially not part of the Information Security Center.
BOB:
Yeah, there’s not much we know about him. But we do know that he worked in information security at Renaissance Capital. It sounds like his job was to monitor employees there. But he was also in some sort of management role at the Russian FSB.
ANDREI:
He probably was attached to this company to supervise things there. Or probably it was a kind of intelligence cover for him.
BOB:
So, in other words it doesn’t seem like he worked in the same department as Dokuchaev at the FSB.
ALIA:
One other thing we also know about him, is that he told Dokuchaev to direct hackers for the Yahoo hack.
BOB:
Yes, he appears to be Dokuchaev’s boss in this operation.
ALIA:
So, he's kind of like the head suit.
BOB:
Yeah, he’s management.
ALIA:
Dokuchaev being Dmitry Dokuchaev. Dmitry Dokuchaev is the hacker turned kind of suit, allegedly leading the attack on Yahoo from Center 18, the Information Security Service within the FSB.
(BREAKING NEWS NOTE: Dokuchaev just agreed to plead guilty in Russia.)
BOB:
So he's interesting, because he's probably the most classic hacker of this group. In other words he started life as a traditional credit card trader, probably as a teenager, and apparently worked his way up to the point where he's an operative of, allegedly, the Russian FSB.
ANDREI:
Actually you cannot just join the FSB, you should be recommended. And in many cases you are recommended by your relatives. But for Dokuchaev it was different. Dokuchaev was, unusually, a hacker. He was a kind of criminal hacker, and it looked like he was recruited by the FSB. Then he was promoted from, say, being an asset, an agent, to actually becoming an officer of the FSB. It’s very unusual, I would say, and he became very successful.
BOB:
He was actually relatively famous in the carder world, he had lots of nicknames. And then at some point he, I guess, upped his game and then started to work at the FSB. Other things that are important to know about Dokuchaev: right after the Trump election there was a serious shakeup in Moscow, and it was right after Obama had announced sanctions because of alleged Russian interference in the US election. A couple of folks were arrested by Russian authorities and charged with treason. One was a security head at a huge international Russian antivirus company. That was the more famous of the two, but Dokuchaev was the other one. It’s not clear why he was arrested. He was arrested and allegedly charged with treason there. There is some suspicion that he may have had a role in telling the US what Russia did during the election.
ALIA:
So he might've been a double agent?
BOB:
People think he might be a double agent. We don't know, he's locked up in a prison right now.
ALIA:
So nobody from the press, nobody at all can talk to him.
BOB:
As far as we know, he hasn't spoken to anybody.
ALIA:
That's fishy. Yeah that seems really convenient that he's in prison where he can't speak to anybody, because even if he talked to the US, nobody can prove it.
BOB:
Sometimes prisons are the safest place for people. He might be safe from Russian authorities, he might be safe from US authorities, he might be safe from other people he's angered in the underground. But where he is, he's unavailable to talk about what he did, and that's clearly in someone's interest.
ALIA:
If Sushchin is our management, if we can kind of stay in that sort of business lingo for a second, what is Dokuchaev?
BOB:
He's the middle manager.
ALIA:
He's middle-management.
BOB:
Yeah, he's taking orders from Sushchin and he's giving them to other people. So he is the connection between the FSB and the hacking underworld. He came from that world, so he clearly has connections there, so he's managing the outside hackers.
ALIA:
He's the man for the job.
BOB:
He’s giving marching orders, specific marching orders.
ALIA:
And the hacker getting these marching orders from Center 18 is Alexsey Belan.
So Alexsey Belan, he's our main Yahoo hacker.
BOB:
He’s a bit of a legend in the Russian hacking world. What we know is that he's been involved in some really big profile attacks, not just Yahoo, but dating way back to one of the big retail hacks. He was probably behind the Zappos hack for example. He may have been involved even in hacking the Obamacare exchanges right after Obamacare launched. And there’s a whole other series of hacks. Somebody added them all up and suggested that he has been connected to the theft of 1.2 billion credentials in his hacking career. He's also interesting, because on a couple of occasions he was nearly, well he was in custody, and got away. So at one point he was arrested in Greece and indicted, but in 2013 mysteriously escaped and no one seems to know how. We believe that he is in Russia, but we don't know for sure. He's probably there, pretty well protected. In the underground he has a whole long set of aliases, A.K.A., M4G, Magg, Fedyunya, Quarker.
ALIA:
What does Fedyunya mean?
BOB:
I don't know, sorry. You finally got me. All right.
ALIA:
That’s right, you’re gone, you’re fired.
So we tried to figure out what Fedyunya actually means, but we’re still just as clueless as we were. Sorry, Bob. So he's highly skilled, I mean he’s so experienced, again he's kind of the man for the job. I mean I'm getting the sense that we’re building a dream team.
BOB:
This is maybe an Olympic team of hackers involved in this project.
ALIA:
I mean, we’re talking about champions here.
BOB:
Yeah, yeah, and people with experience and people who've shown their wares, and also in the case of Alexsey Belan at least, people who know how to play the hacker game, which is you take an assignment like this and somehow you get compensated for doing it, but then you also make a little bit of money on the side. So Alexsey is clever enough that while he was rooting around Yahoo emails, he wasn't just sending the data back to Russia, he was also using it in this clever complex email spam scheme, where he would email people and he would hack search results so that his Viagra links would come up at the top, and so he would make advertising commission. So he was kinda playing both sides on this too.
ALIA:
God, so like while I'm getting paid for my time here at my day job, I should also use the printers to print out my headshots and résumés.
BOB:
That's an interesting metaphor.
ALIA:
I've never done that.
BOB:
I think a better example would be hiring the company printer out to print jobs for other people. Okay so, I think the really important point about Belan, is we need to understand that he's much much more than a professional spammer. Although he is good at that, he's the guy who when it came right down to it did the real hacking work.
ALIA:
Belan is a very impressive hacker, and the indictment outlines several methods he allegedly used to hack his way into Yahoo. The first, we've already discussed: phishing and spearphishing.
KATIE:
Ah, phishing and spearphishing, these are similar terms. Phishing is when an attacker sends out something like an email. That email is forged and tricks the user into clicking on something. Spearphishing, on the other hand, is much more targeted, at users in a network who are going to be more valuable to compromise than others.
ALIA:
This is the most basic bread-and-butter way that Belan would first work his way into the Yahoo network.
BOB:
He used a technique that's called cookie minting, which for starters just shows that this is much more serious than your run-of-the-mill hack.
ALIA:
Cookie minting.
So you probably have a sense of what cookies are.
KATIE:
So you've got a legitimate session, and your browser is basically sending these cookies you know back-and-forth to make sure that you're still logged in when you're supposed to be.
CARSON:
Hey it’s Carson. Don't log me out, I'm still here shopping online for cute dog toys.
ALIA:
Or if you x’d out of a website but wanted to come back, the cookie would make sure you didn't have to enter your password again, because you were just there an hour ago.
CARSON:
Hey it’s Carson. Remember me? I was shopping online for cute dog toys and now I’m back.
BOB:
Well he developed a way so that he could manufacture those cookies for almost anyone, so he could trick Yahoo into thinking whatever computer he was at was anyone else's Yahoo account computer. So it was as if he could show up on your account and the remember me box would already be checked and you wouldn’t need to enter a password. In other words he could mint cookies and read anyone's email.
KEITH (AS CARSON):
Hey it’s Carson. Remember me? I was shopping online for cute dog toys, and now I'm back.
ALIA:
And if I changed my password would he automatically get that update?
BOB:
Well yes, for the reason that comes next, which is in addition to cookie minting, he also had access to Yahoo's user database and their account management tool. And so he probably was getting real-time updates. And so even if you had a sense something might be wrong, and you changed your password, or you added maybe even a two factor thing, he would know that too. And he could change them or he could just play along with their rules and get into your account.
ALIA:
The user database is what functions as a searchable database of millions of emails. The account management tool does exactly that, stores all the info for managing your account. In other words, you could change your password if you were worried you'd been hacked, and that new password you set would quickly be updated and stored on the account management tool, which Belan had full access to. Or you could update your security questions, and Belan could control-F them by searching through the user database. And then there was something called a log cleaner, which Belan used to cover their tracks and erase any Yahoo logs of network activity. So I, as a user, was pretty much powerless.
BOB:
You were completely powerless. The assumption that you had that you were engaged in some kind of private communication was wrong.
ALIA:
The work Belan was doing, pulling off sophisticated cookie minting processes and accessing the user database and AMT, coordinating with Dokuchaev and Sushchin on specific targets, all that feels really different than our final of the four indicted Yahoo hackers, Karim Baratov.
Devious Music Cue
That theme isn’t really right for Karim, the 22-year-old Kazakh in Toronto, who unlocked a Gmail account for Dokuchaev. Karim’s the only one in US custody. He's currently in a California state prison, where he is awaiting sentencing.
And where he’s also become my penpal.
If I'm looking at envelope number one and envelope number two, I would think two different people sent me these letters.
Because the handwriting is totally different, purposefully. He acknowledges this in the letter.
BOB:
He has alias handwriting? Wow.
ALIA:
When I open the package, the envelope here, Bob, pops out first this little piece of origami. It's pink, it’s a star. If you look closely you'll see that it's a character from SpongeBob SquarePants. I believe his name is Patrick. And on the back it says ‘made in jail.’